[websec] Protocol Action: 'The Web Origin Concept' to Proposed Standard (draft-ietf-websec-origin-06.txt)
The IESG has approved the following document: - 'The Web Origin Concept' (draft-ietf-websec-origin-06.txt) as a Proposed Standard This document is the product of the Web Security Working Group. The IESG contact persons are Peter Saint-Andre and Pete Resnick. A URL of this Internet Draft is: http://datatracker.ietf.org/doc/draft-ietf-websec-origin/ Technical Summary This document defines the concept of an "origin", which is often used as the scope of authority or privilege by user agents. Typically, user agents isolate content retrieved from different origins to prevent malicious web site operators from interfering with the operation of benign web sites. In addition to outlining the principles that underlie the concept of origin, this document defines how to determine the origin of a URI, how to serialize an origin into a string, and an HTTP header, named "Origin", that indicates which origins are associated with an HTTP request. Working Group Summary There was nothing particularly worth noting about the WG process. Specifically there was no strong controversy about this document. The document received sufficient review from WG participants and individuals outside the WG. Furthermore, reviews also covered document versions before their adoption by the WG or even prior to the formation of the WebSec WG (i.e., draft-abarth-origin and draft-abarth-principles-of-origin). Document Quality The origin concept is widely used in the web browser and application environment to determine trusted sources. Still it may be noteworthy that some current implementations of the origin concept may differ in whether all three elements of the origin-tuple must be identical to constitute identity of origin (in some current browser implementations the scheme or port might receive less weight). The text regarding comparison of internationalized domain names benefited from extensive discussion with Patrik Faltstrom, Jeff Hodges, John Klensin, and Pete Resnick. ___ websec mailing list websec@ietf.org https://www.ietf.org/mailman/listinfo/websec
Re: [websec] [decade] Updated, updated DIGEST spec
Actually the proposal is to merge my proposal with the ni scheme made by Stephen et. al. I generally recon that if two independent proposals converge on essentially the same thing it probably means it is on the right track. At worst it is a necessary dead end that has to be explored:-) On Wed, Oct 5, 2011 at 10:08 AM, Rahman, Akbar wrote: > Hi Phillip, > > > I read through your draft and it was quite interesting. For DECADE, are > you proposing to use your scheme for the naming of DECADE objects or for > some other purpose? Please excuse me if the question had already been > discussed as I must have missed it. > > > Akbar > > > > -Original Message- > From: decade-boun...@ietf.org [mailto:decade-boun...@ietf.org] On Behalf > Of Phillip Hallam-Baker > Sent: Tuesday, October 04, 2011 1:55 PM > To: websec; dec...@ietf.org > Subject: [decade] Updated, updated DIGEST spec > > In response to comments on and off list, I have revved the draft to > produce a -02 > > * Have fixed the omission of the scheme and algorithm in > /.well-known/di/sha-256 > * Have changed the colon separating the algorithm and the digest to a > semi-colon on advice that some parsers will choke otherwise > * Have taken out the SHA-128 scheme and instead put in support for > truncation on an arbitrary 32 bit boundary. [This needs a security > consideration of course] > > I guess I should have added the acknowledgements section as well. > > > Stephen and I have had discussions off list. If all goes well this > should be the last version of this draft before we get to a merge. The > outcome that seems to be most likely to suit people's needs would be > to have two drafts. The first would just have the core syntax and > security considerations for using digest identifiers. The second would > have all the interesting stuff link locators and encryption and stuff. > Content-type would likely be in the second. > > I am going off to write some code. > > -- > Website: http://hallambaker.com/ > ___ > decade mailing list > dec...@ietf.org > https://www.ietf.org/mailman/listinfo/decade > -- Website: http://hallambaker.com/ ___ websec mailing list websec@ietf.org https://www.ietf.org/mailman/listinfo/websec
Re: [websec] I-D Action: draft-ietf-websec-origin-05.txt
On 2011-09-23 09:29, Julian Reschke wrote: ... 1. NOTE: Running this algorithm multiple times for the same URI can produce different values each time. Typically, user agents compute the origin of, for example, an HTML document once and use that origin for subsequent security checks rather than recomputing the origin for each security check. It seems the NOTE shouldn't be in a numbered list (same for item 4). ... Draft -06 has another instance of this nit :-) b) "null" in ABNF means case-insensitive; consider replacing with octet sequence and putting the literal "null" into a comment. ... You now have: origin-list-or-null = %x6E %x75 %x6C %x6C / origin-list You can make that origin-list-or-null = %x6E.75.6C.6C / origin-list and make it more readable by saying: null= %x6E.75.6C.6C ; "null", case-sensitive origin-list-or-null = null / origin-list Best regards, Julian ___ websec mailing list websec@ietf.org https://www.ietf.org/mailman/listinfo/websec
Re: [websec] [decade] Updated, updated DIGEST spec
Hi Phillip, I read through your draft and it was quite interesting. For DECADE, are you proposing to use your scheme for the naming of DECADE objects or for some other purpose? Please excuse me if the question had already been discussed as I must have missed it. Akbar -Original Message- From: decade-boun...@ietf.org [mailto:decade-boun...@ietf.org] On Behalf Of Phillip Hallam-Baker Sent: Tuesday, October 04, 2011 1:55 PM To: websec; dec...@ietf.org Subject: [decade] Updated, updated DIGEST spec In response to comments on and off list, I have revved the draft to produce a -02 * Have fixed the omission of the scheme and algorithm in /.well-known/di/sha-256 * Have changed the colon separating the algorithm and the digest to a semi-colon on advice that some parsers will choke otherwise * Have taken out the SHA-128 scheme and instead put in support for truncation on an arbitrary 32 bit boundary. [This needs a security consideration of course] I guess I should have added the acknowledgements section as well. Stephen and I have had discussions off list. If all goes well this should be the last version of this draft before we get to a merge. The outcome that seems to be most likely to suit people's needs would be to have two drafts. The first would just have the core syntax and security considerations for using digest identifiers. The second would have all the interesting stuff link locators and encryption and stuff. Content-type would likely be in the second. I am going off to write some code. -- Website: http://hallambaker.com/ ___ decade mailing list dec...@ietf.org https://www.ietf.org/mailman/listinfo/decade ___ websec mailing list websec@ietf.org https://www.ietf.org/mailman/listinfo/websec